Flatpak package [Planned]
Hi! Flatpak is a package management system for Linux, that's supported across a variety of distributions.
It provides some pretty good isolation for desktop apps, which I personally appreciate due to the added security (it's not absolute isolation, but at least processes can't freely read one's home filesystem without approval and other enhancements).
I've been thinking about creating a package with 1Password, would you guys be okay with that being submitted to Flathub?
Basically the descriptor for the package has this format, and merely fetches the source from your site:
```yaml
app-id: org.onepassword.onepassword
runtime: org.freedesktop.Platform
runtime-version: '20.08'
sdk: org.freedesktop.Sdk
command: /app/squashfs-root/1password
modules:
  - name: 1password
    buildsystem: simple
    build-commands:
      - chmod +x 1password-0.9.5-2.AppImage
      - ./1password-0.9.5-2.AppImage --appimage-extract
      - cp -r squashfs-root/ /app
      # - install -D 1password-0.9.5-2.AppImage /app/bin/1password
    sources:
      - type: file
        url: https://downloads.1password.com/linux/appimage/1password-0.9.5-2.AppImage
        sha512: 6bfc61c9da5cca90279664ab7aab0cb30569720fb9bd168accc65068b570e11ba5c59942d19d88baa7c42dd4d647686b9480bd1d957df956dff2562b9846a5b0
finish-args:
  - --socket=x11
  - --share=network
```
Note: this is just an example and doesn't yet work.
It's just to kind of reflect how the package is generated. Also, this still fails due to some SUID error with a bundled helper.
1Password Version: 0.9.5-2.AppImage
Extension Version: n/a
OS Version: ArchLinux
Sync Type: n/a
Referrer: forum-search:flatpak
Comments
-
Hi @WhyNotHugo,
Thanks for taking the time to write in and for helping us with Flatpak, it is appreciated!
We do have plans to support Flatpak and Flathub, we've mentioned this a while ago in a thread here.
We just need time to set it all up to automate this in-house. We've just finished adding AUR support recently after adding Snap and we're working to add more including Flatpak.
According to Flathub here, they'd prefer that we do this as transferring ownership can be a bit problematic. So, let me nudge our team and see if we can do something sooner rather than later.
ref: dev/core/core#2453
0 -
Thanks for your reply!
Seems like I missed the above link, thanks for pointing it out.
I take it you'd rather submit this yourselves rather than go through the transfer process then. If I manage to get a working flatpak descriptor then, I'll just go ahead and post it here so you guys can handle it as you prefer.
Thanks, cheers!
0 -
Thanks a ton for that @WhyNotHugo -- you can certainly post the flatpak descriptor here and we can grab the reins and take it from there. 😊
0 -
Kinda forgot about this. I've a working package -- mostly the metadata is missing, which I'm sure you'd prefer to fill in yourselves anyway:
com.1password.1Password.yml:
```yaml
app-id: org.onepassword.onepassword
base: org.electronjs.Electron2.BaseApp
base-version: '20.08'
runtime: org.freedesktop.Platform
runtime-version: '20.08'
sdk: org.freedesktop.Sdk
command: 1password
rename-desktop-file: 1password.desktop
rename-icon: 1password
finish-args:
  # 1Password is X11-only, so we can skip the Wayland socket for now. 🤞
  - --socket=x11
  - --share=network
  # I think it shows notifications sometimes? If not, remove this:
  - --talk-name=org.freedesktop.Notifications
  # Required to avoid asking for a 2FA token on every run:
  - --talk-name=org.freedesktop.secrets
  - --filesystem=xdg-run/1Password-BrowserSupport.sock
  # TODO: There's a dbus-socket for desktops with a tray icon thingy.
  # That should be exposed too.
modules:
  - name: 1password
    buildsystem: simple
    build-commands:
      - ar x 1password-*.deb
      - rm -f 1password-*.deb
      - tar xf data.tar.xz
      - rm -f control.tar.gz data.tar.xz debian-binary
      - cp -r usr/* opt/* /app
      - cp -r usr/* opt/* /
      - chmod -R a-s,go+rX,go-w /app/1Password
      # Original path here points to /opt/1Password:
      - sed -i 's|Exec=.*|Exec=1password %U|' /app/share/applications/1password.desktop
      - install -Dm755 1password.sh /app/bin/1password
      - install -Dm644 org.onepassword.onepassword.appdata.xml /app/share/appdata/org.onepassword.onepassword.appdata.xml
    sources:
      - type: file
        only-arches:
          - x86_64
        url: https://downloads.1password.com/linux/debian/pool/main/1/1password/1password-0.9.12-2.deb
        sha256: e27b0055eb9a55af081160fb7a270db1ba806483328a8161d68a0dc2d913ff84
      - type: script
        dest-filename: 1password.sh
        commands:
          # Share a TMPDIR, so that multiple instance can figure out there's
          # already one running.
          - export TMPDIR="$XDG_RUNTIME_DIR/app/$FLATPAK_ID"
          # This script is required to work around a lack of SUID sandbox helper:
          - exec zypak-wrapper /app/1Password/1password "$@"
      - type: file
        path: org.onepassword.onepassword.appdata.xml
```
org.onepassword.onepassword.appdata.xml:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<component type="desktop">
  <id>org.onepassword.onepassword</id>
  <name>1Password for Linux</name>
  <project_license>XXX</project_license>
  <developer_name>XXXX</developer_name>
  <summary>XXXXX</summary>
  <metadata_license>CC0-1.0</metadata_license>
  <url type="homepage">https://1password.com/</url>
  <url type="bugtracker">https://github.com/flathub/org.onepassword.onepassword/issues</url>
  <description>
    <p>
      XXXXX
    </p>
  </description>
  <screenshots>
    <image type="source">https://us.v-cdn.net/5020219/uploads/editor/1g/883ixuqsk6tc.png</image>
    <image type="source">https://us.v-cdn.net/5020219/uploads/editor/ae/cmnoxgrdxdp8.png</image>
    <image type="source">https://us.v-cdn.net/5020219/uploads/editor/zc/196a8xd2cohr.png</image>
  </screenshots>
  <releases>
    <release version="0.9.12" date="2021-02-09"/>
  </releases>
  <content_rating type="oars-1.1">
    <content_attribute id="violence-cartoon">none</content_attribute>
    <content_attribute id="violence-fantasy">none</content_attribute>
    <content_attribute id="violence-realistic">none</content_attribute>
    <content_attribute id="violence-bloodshed">none</content_attribute>
    <content_attribute id="violence-sexual">none</content_attribute>
    <content_attribute id="violence-desecration">none</content_attribute>
    <content_attribute id="violence-slavery">none</content_attribute>
    <content_attribute id="violence-worship">none</content_attribute>
    <content_attribute id="drugs-alcohol">none</content_attribute>
    <content_attribute id="drugs-narcotics">none</content_attribute>
    <content_attribute id="drugs-tobacco">none</content_attribute>
    <content_attribute id="sex-nudity">none</content_attribute>
    <content_attribute id="sex-themes">none</content_attribute>
    <content_attribute id="sex-homosexuality">none</content_attribute>
    <content_attribute id="sex-prostitution">none</content_attribute>
    <content_attribute id="sex-adultery">none</content_attribute>
    <content_attribute id="sex-appearance">none</content_attribute>
    <content_attribute id="language-profanity">none</content_attribute>
    <content_attribute id="language-humor">none</content_attribute>
    <content_attribute id="language-discrimination">none</content_attribute>
    <content_attribute id="social-chat">intense</content_attribute>
    <content_attribute id="social-info">none</content_attribute>
    <content_attribute id="social-audio">intense</content_attribute>
    <content_attribute id="social-location">none</content_attribute>
    <content_attribute id="social-contacts">intense</content_attribute>
    <content_attribute id="money-purchasing">none</content_attribute>
    <content_attribute id="money-gambling">none</content_attribute>
  </content_rating>
  <update_contact>XXX@XXX.com</update_contact>
</component>
```
Caveats:
- App descriptor parts can't start with numbers, hence the name onepassword.
- I don't use any "application tray" service, so I haven't tested that. I know another D-Bus socket needs to be exposed, but I'm not keen to include extra tweaks I can't test on my setup.
You can build+install this by running:
flatpak-builder --user --install build-dir com.1password.1Password.yml --force-clean
And run with:
flatpak run org.onepassword.onepassword
0 -
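An added example, not part of the original posts and not 1Password's or Flathub's code: a small audit of the `finish-args` in the manifest above, listing which sandbox permissions it opens. The rule set and severity labels are assumptions of this example, and it goes slightly beyond the manifest by also covering `--filesystem=host` and `--filesystem=home`.

```python
import re

# Constructed sample: the finish-args section of the manifest posted above.
MANIFEST = """\
app-id: org.onepassword.onepassword
finish-args:
  # 1Password is X11-only, so we can skip the Wayland socket for now.
  - --socket=x11
  - --share=network
  - --talk-name=org.freedesktop.Notifications
  - --talk-name=org.freedesktop.secrets
  - --filesystem=xdg-run/1Password-BrowserSupport.sock
modules:
"""

# Illustrative rules (an assumption of this example, not a Flathub policy).
# Order matters: the first matching pattern wins.
RULES = [
    (r"--socket=x11$", "high", "X11 clients are not isolated from each other"),
    (r"--filesystem=(host|home)(:|$)", "high", "broad access to host files"),
    (r"--talk-name=org\.freedesktop\.secrets$", "high", "host keyring (Secret Service) reachable"),
    (r"--share=network$", "medium", "shares the host network namespace"),
    (r"--filesystem=", "low", "one extra path exposed to the sandbox"),
    (r"--talk-name=", "low", "one extra session-bus name reachable"),
]

def finish_args(text):
    """Return the list items under the top-level `finish-args:` key."""
    args, inside = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and YAML comments
        if not line[0].isspace() and not stripped.startswith("- "):
            inside = stripped.startswith("finish-args:")  # a top-level key
        elif inside and stripped.startswith("- "):
            args.append(stripped[2:].split(" #")[0].strip())
    return args

def audit(args):
    """Pair each permission with the severity and reason of its first rule."""
    findings = []
    for arg in args:
        hit = next(((sev, why) for pat, sev, why in RULES if re.match(pat, arg)),
                   ("review", "no rule matched; check by hand"))
        findings.append((arg, *hit))
    return findings

if __name__ == "__main__":
    for arg, sev, why in audit(finish_args(MANIFEST)):
        print(f"{sev:>6}  {arg}  ({why})")
```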
In case you want to submit this to Flathub, here's the relevant docs: https://github.com/flathub/flathub/wiki/App-Submission
0 -
Thanks so much, @whynothugo! I'll bring this to the attention of the Development team. :chuffed::+1:
0 -
Recently electron-builder got experimental support for flatpak. Flathub integration is not built in yet but perhaps soon. Using electron-builder instead of repackaging the .deb may now be a viable option for building the 1password flatpak.
https://github.com/electron-userland/electron-builder/pull/5711
0 -
Oooh, very cool - thanks so much @vincent_chernin! :love: I'll pass this along to the Dev team to take a gander at. :smile:
0 -
Have you guys had any chance to look into this?
The above manifest that I wrote works fine. I've been using it to build+install locally, just updating the version from time to time. Basically a proper description is missing, and that can be pushed to Flathub (or your own repository, if you prefer).
If you'd like some help setting up some form of pipeline, I'm available for consulting on this kind of topic: hugo@barrera.io.
0 -
Hey there, @WhyNotHugo,
After investigating what we would need to add to a Flatpak configuration, we found that some of our flagship features like system authentication and browser integration can't currently work inside a Flatpak sandbox due to some allowed syscall restrictions. We have opened a GitHub issue to ask their team about what it would take to support this. Since we don't want to ship an application to our users missing large features, we will be holding off on a Flatpak package until something is worked out here, sorry.
0 -
I understand the issues, but it seems a shame to take an "all or nothing" approach like this. 1P is something that's under continuous development, and nobody expects it to be absolutely perfect. An okay package is better than no perfect package.
In the end, you just force the end users (like myself) to package it manually, and the features will be absent anyway -- but with a lot of extra burden on the users for installation.
I'll say it also seems a bit silly to block this just due to the lack of access to the kernel keyring, when other very silly security issues exist. For example, even the latest version runs only via XWayland, which means any other XWayland application can snoop into what 1P is rendering and doing (these include things like Skype, Zoom, Steam games, etc). That's even if the snooping application is properly containerised/isolated.
I've pointed this out before, but even the latest version still has this issue (the lack of native Wayland support is also evident if you use 1P on a host with a hidpi display -- where it will render very blurry).
Do you have any objections submitting a community-maintained Flatpak package? Or should each user be forced to package 1P themselves?
0 -
Thanks Hugo,
Please don't submit a community-maintained package. Now that we're past the Linux release, most of the team will be taking off tomorrow. Next week we're going to do some brainstorming on how we could integrate a Flatpak release into our build and deploy system.
0 -
Thought I'd chime in here!
I am a flatpak fan, and I have been waiting on a 1Password release on flathub. I'd enjoy getting something even if it is more limited than what you would get with a normal .rpm or .deb style install.
That being said, I've been patient and will continue to be. I am happy that the folks at 1Password have given Linux any attention at all! Thanks for your hard work thus far. I'll be waiting on that sweet sweet flatpak release!
0 -
Going to raise my hand and agree as well.
I'd like something (anything) that works, even if it's lacking in features. My "native" OS packaging install broke a long time ago (https://1password.community/discussion/118182/glibc-requirements-changed) and it increasingly looks like it won't be fixed and filed under the "It's not a supported OS" response at some stage (which let's be honest, it isn't). I would be fine if it never worked on my OS (but it did way back in the beta/pre release days), so it just rubs more salt into the wound, that it no longer works.
I'm currently using the 1PasswordX extension in Firefox, but we all know it's inferior to the Linux application, and I'd prefer to keep my browser & password manager separate, so I don't care about autofill etc. they are just nice to haves (for most users). It's painful to have to open 1PasswordX to search for a password for MS teams (which is a flatpak) and copy and paste it out of my browser extension into the relevant app.
Side note: MS Teams & OS choice (Amazon Linux) are mandated for work. At home I run 1Password for Linux running natively on a "current" OS (but would much prefer flatpak), so I could use it on more devices (Fedora silverblue for example).
0 -
Sure thing, I won't! Happy to hear it'll be under consideration.
0 -
Thanks Hugo!
We will circle-back here once we have concrete plans for how we can get a FlatPak release pushed into the world -- for now, just hang tight! 😊
0 -
Hi, everyone. I wanted to come back to this thread one last time. We actually announced Flatpak support back in August!
https://1password.community/discussion/123068/1password-8-beta-8-2-2-6
We're keeping these up to date on both our beta channel and our stable channel:
```
flatpak install https://downloads.1password.com/linux/flatpak/1Password-beta.flatpakref
flatpak install https://downloads.1password.com/linux/flatpak/1Password.flatpakref
```
Have fun!
0